Data Breach Roundup: OneLogin, Chipotle and Kmart Report Breaches

Data breaches are a part of life in today’s technology-fueled world, but they’re nothing to get complacent about. In this data breach roundup, we talk about three recent data breaches that might have impacted you and detail exactly what happened, who was affected and what the company in question is doing about it.

OneLogin customer data potentially decrypted

What happened: On May 31 at 2 a.m. PT, an unknown hacker — referred to by OneLogin as a “threat actor” — used proprietary keys to access the service’s database tables. The hacker was able to access information about users, apps and various types of security keys, and it’s possible that they were able to decrypt customer data. Because they used an authorized key to access the system, the intrusion went unnoticed for several hours until 9 a.m. PT, though it was shut down within minutes once OneLogin employees were alerted.
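The detail that matters in the OneLogin timeline is that the intruder held a valid key, so nothing failed and nothing alerted for seven hours. The example below, added here and not code from the article or from OneLogin, shows the kind of audit-log baselining that catches misuse of an authorized credential: it learns each key's usual hours, source addresses and tables from earlier events, then flags later events that break that pattern. The log format, key names, addresses and table names are all constructed for the example; the anomalous event is timed at 09:02 UTC to mirror a 2 a.m. PT access like the one described.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit-log format: timestamp, credential id, source address,
# action and the table touched. Real systems differ; adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+)$"
)

# Constructed "normal" history for a service key: business hours in UTC
# (16:00-17:59Z is 9-10 a.m. PT), one known source, two routine tables.
BASELINE_LINES = [
    "2017-05-29T16:05:12Z key=svc-reporting src=203.0.113.10 action=read table=users",
    "2017-05-29T17:40:03Z key=svc-reporting src=203.0.113.10 action=read table=apps",
    "2017-05-30T16:11:48Z key=svc-reporting src=203.0.113.10 action=read table=users",
]

# Constructed later events: one routine read, and one off-hours read from a
# never-seen address against a table the key has never touched.
NEW_LINES = [
    "2017-05-31T09:02:44Z key=svc-reporting src=198.51.100.7 action=read table=api_keys",
    "2017-05-31T16:10:05Z key=svc-reporting src=203.0.113.10 action=read table=users",
]


def parse_event(line):
    """Parse one audit line into a dict; timestamps become aware UTC datetimes."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def build_baseline(events):
    """Per key, record the hours (UTC), source addresses and tables seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "srcs": set(), "tables": set()})
    for e in events:
        profile = baseline[e["key"]]
        profile["hours"].add(e["ts"].hour)
        profile["srcs"].add(e["src"])
        profile["tables"].add(e["table"])
    return baseline


def find_anomalies(events, baseline):
    """Return (key, timestamp, reasons) for each event that deviates from its key's profile.

    A valid key authenticates fine, so the only signal is behaviour: time of day,
    origin, and what was read. Unknown keys are flagged outright.
    """
    findings = []
    for e in events:
        profile = baseline.get(e["key"])
        reasons = []
        if profile is None:
            reasons.append("key has no baseline")
        else:
            if e["ts"].hour not in profile["hours"]:
                reasons.append(f"hour {e['ts'].hour:02d}Z outside baseline hours")
            if e["src"] not in profile["srcs"]:
                reasons.append(f"new source address {e['src']}")
            if e["table"] not in profile["tables"]:
                reasons.append(f"table {e['table']} never accessed by this key before")
        if reasons:
            findings.append((e["key"], e["ts"].isoformat(), reasons))
    return findings


def run_demo():
    """Build the baseline from history, then score the later events."""
    baseline = build_baseline(parse_event(l) for l in BASELINE_LINES)
    return find_anomalies([parse_event(l) for l in NEW_LINES], baseline)


if __name__ == "__main__":
    for key, ts, reasons in run_demo():
        print(f"{ts} {key}: " + "; ".join(reasons))
```

The routine 16:10Z read produces nothing; the 09:02Z read is reported with three independent reasons. In practice each reason would carry its own weight, and a new table such as one holding keys or secrets would be the one worth paging on, since that is the access that lets an intruder move from one service into everything it protects.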

Who is affected: Any users served by OneLogin’s U.S. data center have been hit by the breach, according to information provided by the company directly after the attack. It’s important to note that, while OneLogin is similar to a password manager, it is designed for use by enterprise and corporate users to manage IDs and login information for employees. Customers of OneLogin include law firms, hospitals, financial companies and newsrooms, and the site provides a central sign-in point so employees of its customers can securely access their accounts (such as Google or Microsoft). Potentially exposed information includes names and emails, which are not encrypted, but all sorts of information could have been exposed if the hacker successfully decrypted sensitive files.

What OneLogin is doing about it: Customers were immediately contacted via email, and a support page that only customers can access has been set up. OneLogin is working with a cybersecurity firm to assess the damage and learn how the intruder obtained an internal key in the first place. Customers have been urged to take a number of steps, including changing passwords, generating new API credentials and OAuth tokens and more. Some customers have reportedly had to rebuild their entire authentication setups, leaving affected employees vulnerable in the meantime. This is the second breach OneLogin has experienced in the past year, which raises questions about the company’s ability to secure its systems. For password managers and similar centralized security services, an incident like this is the worst case, and it calls into question just how safe it is to trust one service with the keys to your kingdom.

Chipotle malware searched for payment card data

What happened: According to a press release from Chipotle on May 30, a significant portion of its 2,250 restaurants across the U.S. as well as a handful in Canada were impacted by malware. Similar to other data breaches we’ve covered, this one involved malware installed on point-of-sale (POS) devices at restaurant locations. The malware looked for “track data” stored on a card’s magnetic stripe, which can include cardholder names, card numbers, expiration dates and internal verification codes. A small number of affiliated Pizzeria Locale restaurants were also impacted by this malware.

Who is affected: People who visited Chipotle restaurants between March 24 and April 18 and paid with a credit or debit card should be on alert. Locations in Arizona, California, Florida, Illinois and Texas were the hardest hit, but concerned customers should check the list provided by Chipotle at the bottom of the press release on its website to see if they visited any of the affected locations during the times when the malware was active. Not all restaurants were hit, and the dates and lengths vary from location to location.

What Chipotle is doing about it: Though the company first disclosed the breach on April 25, it released more information on May 30 following an investigation by cybersecurity firms, law enforcement and payment card networks. While Chipotle isn’t providing any kind of identity theft protection to potentially impacted customers, its press release does offer advice on placing fraud alerts and freezing credit. There is also a phone number concerned customers can call to ask questions.

Kmart experiences second breach in three years

What happened: For the second time in three years, Kmart has experienced a payment card data breach. According to a statement posted on the Kmart website, in-store payment systems at some locations were infected with malicious code that wasn’t detectable by the antivirus software being used at the time. The problem was discovered when evidence of unauthorized credit card activity after customer purchases at some Kmart stores surfaced via financial institutions.

Who is affected: So far, Sears Holdings — the parent company of Kmart — has kept quiet on how many of the 735 locations across the U.S. were affected or the time period in which the breach occurred. Since the investigation is ongoing, hopefully this information will be disclosed once it has concluded. In the meantime, people who have shopped at Kmart in the past six months or so and used a payment card should be on alert for suspicious activity on their accounts.

What Kmart is doing about it: Since the investigation is still ongoing, there’s no telling what Kmart will do to assist customers impacted by this data breach. The company has apologized and urged customers to check their bank and credit card statements, but until it confirms which stores were part of the breach, customers across the country have no way of knowing whether their concern is warranted. In addition to working with law enforcement and the payment card companies, Kmart has brought in cybersecurity experts to help eradicate the malware and strengthen security to hopefully prevent issues in the future.

What is the takeaway for consumers from these breaches?

Although these kinds of data breaches might feel like old news by now, it’s important to stay vigilant as hackers are constantly thinking up new ways to disrupt people’s lives. The good news when it comes to payment card data breaches is that, for the most part, they only impact customers who are still using the older, less secure method of swiping their payment cards rather than inserting them so the chip can be read. Not every financial institution has issued chip-enabled cards to customers yet, and not all merchants have upgraded their systems to accept them, but that is changing day by day. If you have a chip-enabled card, use it whenever possible to reduce your likelihood of becoming the victim of a payment card data thief.

When it comes to breaches like the first story we reported, things are less certain, but the biggest lesson to be learned is to take care when choosing a service to use for your security. It’s not always possible to know how secure a service truly is, but if there’s a history of poor standards, you might want to think twice and look for another service to use.

About Author

Jocelyn Baird

Jocelyn is a NextAdvisor.com writer with a love for coffee, reading and all things personal security. She currently covers identity theft, credit monitoring and credit cards. She has been a guest on several radio shows nationwide and her cybersecurity and personal finance expertise have been featured by Forbes, USA Today, Kiplinger's Personal Finance, The Huffington Post and more. She is a graduate of Syracuse University with a dual degree in Writing and Rhetorical Studies and Anthropology. Follow her on Twitter @JocelynAdvisor.